[SOLVED] Cent 5.8 Firewall allowing 224.0.0.251 on port 5353
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Just wondering if anyone here knows why a default install of CentOS has this line:
Code:
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
In /etc/sysconfig/iptables
I'm not sure why it opens this up, and Google reveals little other than it is 'multicast DNS' (plus a ton of conspiracy theories).
I'm guessing it's safe to comment this out?
Just expanding on that, I'm not sure default rules like this:
Quote:
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
are ideal, especially when it has no web server installed, has a live sendmail installed by default (not tested for open relay yet), has no printer, let alone the need to offer CUPS to other clients, and as for 60 and 51 - I'm at a loss to understand the need to open those by default.
Last edited by leslie_jones; 04-09-2012 at 10:35 AM.
22 is the default port for ssh (sshd), which is also used by scp/sftp. If you want access to the system via ssh (e.g. from another server or using something like PuTTY on Windows), scp or sftp, you either need to have this open or change the port used by sshd to something else and open that port (then close 22).
25 is for telnet and shouldn't be open by default in my opinion.
However, it doesn't matter if a port is "open" unless you're LISTENing on that port. Therefore the first thing you ought to check is whether the port is in fact LISTENing.
Doing "lsof -i :5353" shows me that it is avahi-daemon that is LISTENing on that port on my CentOS box. You'd want to understand what this daemon does before you decided to block it.
Doing lsof -i :<port> for the other ports you questioned should tell you what if anything is happening on those ports. Rather than simply blocking the ports by disabling in iptables you might want to disable whatever is LISTENing (e.g. cupsd for cups, xinetd service for telnetd maybe - see /etc/xinetd.d files). Disabling the ports in iptables if not necessary is a good idea but if nothing is LISTENing it doesn't matter if you haven't blocked them as no connection can be made to a port that isn't LISTENing from outside to inside your system.
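The check described in the reply above (open in iptables versus actually LISTENing) can be scripted. The following is an added example, not code from the thread or from any poster: it takes the RH-Firewall-1-INPUT rules quoted earlier in the thread and a constructed listener table standing in for what `lsof -i :<port>` would report on a box running sshd, sendmail and avahi-daemon (but no httpd or cupsd), and flags each ACCEPT rule with a `--dport` as either LISTENING (a service to review or disable) or UNUSED (a rule that can be dropped without affecting anything). The listener table and the process names in it are assumptions for the example.

```shell
#!/bin/sh
# Added example: cross-check iptables ACCEPT rules against listening services.
# Both inputs below are constructed for the example; on a real box RULES would
# come from /etc/sysconfig/iptables and LISTENERS from lsof -i / ss -lntu.

# Constructed: the RH-Firewall-1-INPUT rules quoted in the thread.
RULES='-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT'

# Constructed listener table: "proto port process" (assumed, mirrors lsof -i output
# on a host with sshd, sendmail and avahi-daemon but no httpd or cupsd).
LISTENERS='tcp 22 sshd
tcp 25 sendmail
udp 5353 avahi-daemon'

# listener_for PROTO PORT: print the listening process name, or nothing.
listener_for() {
    printf '%s\n' "$LISTENERS" | awk -v p="$1" -v d="$2" '$1 == p && $2 == d { print $3; exit }'
}

# rule_field RULE FLAG: print the token that follows FLAG (e.g. "-p" or "--dport").
rule_field() {
    printf '%s\n' "$1" | awk -v f="$2" '{ for (i = 1; i < NF; i++) if ($i == f) print $(i + 1) }'
}

# audit_rules: one line per --dport ACCEPT rule, "port/proto STATUS [process]".
# Rules without --dport (protocol 50/51, state matches) are out of scope here.
audit_rules() {
    printf '%s\n' "$RULES" | while IFS= read -r rule; do
        case "$rule" in
            *--dport*) ;;
            *) continue ;;
        esac
        proto=$(rule_field "$rule" "-p")
        port=$(rule_field "$rule" "--dport")
        proc=$(listener_for "$proto" "$port")
        if [ -n "$proc" ]; then
            printf '%s/%s LISTENING %s\n' "$port" "$proto" "$proc"
        else
            printf '%s/%s UNUSED\n' "$port" "$proto"
        fi
    done
}

audit_rules
```

With these inputs the 5353/udp rule reports avahi-daemon as its listener, 22 and 25 report sshd and sendmail, and the 631 and 80/443 rules come back UNUSED. The UNUSED lines are safe to remove from the rule set; the LISTENING lines point at the service to look into first, which is the order the reply recommends.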
I'd already looked through those links, and they are most MacEsque in tone.
It basically, for a desktop machine with no services running on it, looks like a bum set of rules to have with a default install, but I guess that comes down to Cent from the upstream.
I'll just kill them, no problem, but I wondered why they were there by default, particularly 5353.
Did you read my post? I told you it is for avahi-daemon.
I'll be totally honest, when I read the line:
Quote:
25 is for telnet and shouldn't be open by default in my opinion.
I skipped on because I knew it was not accurate. It was not a deliberate act or disrespect - it's just a subliminal thing, which is why I'm putting my hands up and saying 'no, I didn't read all of it' and trying to say why without being rude or smug, just honest.
avahi-daemon
Quote:
"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared."
Yuk - that sounds a bit uPNP-ish-esque to me and something I'd definitely NOT want alive and kicking by default, or open. I can't think of any reason why I would ever want to use this.
Thank you for solving the mystery and my apologies for not reading your post properly - I have told myself off and I am honestly grateful for the answer.